Provide a webhook/HTTP callback for results? #21

Open
woodruffw opened this issue Jul 19, 2022 · 3 comments

Comments

@woodruffw
Member

This was just a random thought I had: some users might want to integrate the results of this action's workflow run(s) into other alerting systems, like a Slack channel.

Supporting every possible integration would be tedious, so we could instead allow a user to specify a URL that the action would perform an HTTP POST to if one or more vulnerabilities were found. For example:

    with:
      webhook: https://some.custom.domain.example.com/pip-audit

Not sure if this is a good idea or not, but wanted to record it.

@felixogg-britned

It's a great idea, but I am mostly looking to just commit the results to a file in the same github action execution, so it gets tracked as a repo file. I could not work out how to send output in markdown format to a local file.

@woodruffw
Member Author

You can currently use outputs.internal-be-careful-output for that. That may or may not be ideal for your case, however, since that output is the human-readable column format and not JSON.

See:

    outputs:
      internal-be-careful-output:
        description: "the column-formatted output from pip-audit, wrapped as base64"
        value: "${{ steps.pip-audit.outputs.output }}"

#4 is a related issue for providing machine-readable outputs.

@felixogg-britned

Learned a lot of new things trying to tend to this one. I copied the code I managed to blend this into below for anyone like myself who is less familiar with GitHub Actions configuration.

    - id: gen-cve-output
      uses: pypa/gh-action-pip-audit@v1.1.0
      with:
        inputs: $GITHUB_WORKSPACE/tmp/requirements.txt

    # Store results of the run to $GITHUB_WORKSPACE/security_scans.md.
    # The internal-be-careful-output value is wrapped as base64 (per the
    # action's output description), so it is decoded before being written.
    # Passing the value through an env var, rather than expanding the
    # ${{ }} expression inside the script body, keeps it out of the shell
    # command line.
    - name: store_to_markdown
      env:
        AUDIT_OUTPUT_B64: ${{ steps.gen-cve-output.outputs.internal-be-careful-output }}
      run: |
        echo "storing to file: $AUDIT_OUTPUT_B64"
        printf '%s' "$AUDIT_OUTPUT_B64" | base64 --decode > "$GITHUB_WORKSPACE/security_scans.md"
        echo "saved."

    - name: create_pr
      uses: peter-evans/create-pull-request@v7
      with:
        commit-message: "Pip-audit found issues"
        branch-suffix: timestamp
        branch: pip-audit-issues
        title: "Pip-audit found CVE security issues 🚨"

So,

  1. thanks!
  2. furthermore, the output generated is a plain empty string in case of no issues. I would have liked a way to output the literal output I also get from running pip-audit on the command line, which is more explicit: "There is no security risk known now." It would be great if you could take that on as feedback.
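The following is an added example, not code from pypa/gh-action-pip-audit or from either commenter's workflow. It shows what a `run:` step can do with the `internal-be-careful-output` value once it has been passed in through an env var: decode the base64 wrapper, substitute an explicit "no known vulnerabilities" line for the empty string the action emits when nothing was found (the point raised in the last comment), and POST a JSON report to a user-supplied URL only when there are findings (the workflow-level version of the webhook proposed in the opening comment). `WEBHOOK_URL`, `DRY_RUN`, the JSON field names and the sample report are assumptions made here; `GITHUB_REPOSITORY`, `GITHUB_SERVER_URL` and `GITHUB_RUN_ID` are the standard workflow env vars.

```shell
#!/bin/sh
# Added example (not part of pypa/gh-action-pip-audit): post-process the
# base64-wrapped column output of the action inside a workflow step.

# Decode the base64-wrapped column output. The action hands back an empty
# string when nothing was found, so print a fixed message in that case
# instead of an empty file.
render_audit_output() {
    encoded="$1"
    if [ -z "$encoded" ]; then
        printf '%s\n' "No known vulnerabilities found"
        return 0
    fi
    printf '%s' "$encoded" | base64 -d
}

# True (exit 0) when the audit reported at least one finding.
has_findings() {
    [ -n "$1" ]
}

# Escape a string for embedding in a JSON string literal: backslashes,
# double quotes, and newlines (joined with a literal \n).
json_escape() {
    printf '%s' "$1" \
        | sed 's/\\/\\\\/g; s/"/\\"/g' \
        | awk 'BEGIN{ORS=""} NR>1{printf "\\n"} {printf "%s", $0}'
}

# Build the JSON body sent to the webhook. Field names are an assumption
# of this example, not a format the action defines.
build_webhook_payload() {
    repo="$1"; run_url="$2"; report="$3"
    printf '{"repository":"%s","run_url":"%s","report":"%s"}' \
        "$(json_escape "$repo")" \
        "$(json_escape "$run_url")" \
        "$(json_escape "$report")"
}

# POST the decoded report to WEBHOOK_URL (assumed to be set by the
# workflow) only when there is something to report. With DRY_RUN=1 the
# payload is printed instead of sent, which is what the test below uses.
notify_webhook() {
    encoded="$1"
    has_findings "$encoded" || return 0
    run_url="${GITHUB_SERVER_URL:-https://github.com}/${GITHUB_REPOSITORY:-unknown}/actions/runs/${GITHUB_RUN_ID:-0}"
    payload="$(build_webhook_payload "${GITHUB_REPOSITORY:-unknown}" "$run_url" \
        "$(render_audit_output "$encoded")")"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$payload"
        return 0
    fi
    curl -sS --fail -X POST -H 'Content-Type: application/json' \
        --data "$payload" "$WEBHOOK_URL"
}

# Typical use in a step, with the action output passed in via env:
#   env:
#     AUDIT_OUTPUT_B64: ${{ steps.gen-cve-output.outputs.internal-be-careful-output }}
#     WEBHOOK_URL: ${{ secrets.AUDIT_WEBHOOK_URL }}
#   run: |
#     render_audit_output "$AUDIT_OUTPUT_B64" > security_scans.md
#     notify_webhook "$AUDIT_OUTPUT_B64"
```

Keeping the webhook URL in a secret and the action output in an env var means neither value is interpolated into the script text itself, and the JSON escaping keeps a report containing quotes or backslashes from producing a malformed body.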
